b'                                     Executive Summary:\n                                     Security Control Review of the\n                                     CFPB\xe2\x80\x99s Cloud Computing\xe2\x80\x93Based\n                                     General Support System\n\n2014-IT-C-010                                                                                                July 17, 2014\n\nPurpose                                     Findings\n\nThe Federal Information Security            Overall, we found that the CFPB has taken a number of steps to secure its cloud\nManagement Act of 2002 (FISMA)              computing\xe2\x80\x93based GSS in accordance with FISMA requirements. However, we\nrequires the Office of Inspector General    found that improvements are needed to ensure that FISMA processes and\n(OIG) to evaluate the effectiveness of      controls are effective and consistently implemented across all information\nthe information security controls and       security areas for the GSS. Our report includes recommendations to strengthen\ntechniques for a subset of the agency\xe2\x80\x99s     security controls for the GSS in four information security areas: system and\ninformation systems, including those        information integrity, configuration management, contingency planning, and\nprovided or managed by another              incident response.\nagency, a contractor, or another\norganization. To meet FISMA                 The Chief Information Officer concurred with our recommendations and outlined\nrequirements, we reviewed the               actions that have been or will be taken to address our recommendations. We will\ninformation system security controls for    follow up on the implementation of each recommendation in this report as part of\nthe Consumer Financial Protection           our future audit activities related to the CFPB\xe2\x80\x99s continuing implementation of\nBureau\xe2\x80\x99s (CFPB) cloud computing\xe2\x80\x93            FISMA.\nbased general support system (GSS).\n                                            Given the sensitivity of information security review work, our reports in this area\n                                            are generally restricted. Such is the case for this audit report.\nBackground\n\nThe CFPB\xe2\x80\x99s strategic plan emphasizes\nthe need for a flexible, scalable\ninformation technology (IT)\ninfrastructure that is capable of meeting\ncurrent needs and sustaining the\nagency\xe2\x80\x99s future growth. To meet this\nobjective, the CFPB has invested in a\ncloud computing\xe2\x80\x93based GSS that\nprovides the IT infrastructure to support\nthe agency\xe2\x80\x99s applications and common\nenterprise services, such as e-mail,\ninstant messaging, and file storage. The\nGSS is jointly managed and operated by\nthe CFPB and a third party, and it is\nclassified as a moderate-risk system.\n\n\nFor more information, contact the OIG at 202-973-5000 or visit http://oig.consumerfinance.gov.\n\x0c'